\chapter{Introduction}\label{chap:1}

%INTRODUCTION
%
%
\section{Background}
Malware is a general word for all types of malicious software. Malware includes Virus, Trojan house, Back door, Worm, and other malicious software which are characterized by malicious code.
Because of the widespread use of the Internet, computer users face many dangerous propagations of malware. The modern malware's purpose is commonly illegal profit. For example, a large number of computers are infected by keylogger and $24.3$ billion USD is leveraged  by e-payment system losing \cite{keylogger}. In addition, According to 2010 Annual Security Report, on May 2010, tens of millions computer world wide were infected by email worm such as “I LOVE YOU”, “LOVE LETTER, “LOVEBUG”\cite{Symantec}. As a result tasks such as preventing, detecting, and removing malware are very important for network security.
	
\section{Malware analysis problem}	
This session will be a detailed introduction on malware analysis of security professionals. Malware analysis is the process of analysing the purpose and functionally of a malware. Malware analysis purpose is understanding of characteristics that all viruses in a family have in common and create a set of signatures in order to detect malwares. In addition, the knowledge about the purpose and functionally of a malware is important for removal.

Commonly, dynamic and static malware analysis have been applied. When new malware is detected, dynamic malware analysis technique executes malware in the Virtual Machine using ProcMon, RegShot, and other tools. These tools are used to identify the general behavioral analysis techniques such as network traffic analysis, file system, and other Window features such as service, process, and the registry. 

However, the dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as \emph{time bombs} or \emph{logic bombs} and can be slow and tedious to identify and disable code analysis techniques to unpack the code for examination \cite{georg}. Furthermore, it takes large amount of time to prepare malware analyzing environment to analyze malware such as virtual machine environment. However, some malware can not be executed in those kind of environment.

With the static malware analysis technique, researchers perform reverse engineering using IDA Pro and Ollydbg tool to analyze malware based on its structure in order to discover its purpose and functionality but it takes a lot of time to see the malware structure. 

Malware analysis is necessary to understand the behavior of malware. As a result, malware signature is created to effectively detect malware. Nevertheless, it wastes much time to find out the behavior and characteristic of malware.

With a vast amount of samples increasing day by day, it is harder for anti-virus industry and virus researchers to analyze malware without information of new malware. In order to reduce time of malware analysis, it is necessary to have an automatic malware classification system.

\section{Approach}

The thesis focused on two following issues:
\begin{itemize}
\item Automatically perform fast malware classification based on malware file's meta-data Use a machine learning technique, called decision tree algorithm to classify unknown malwares or subspecies rapidly and correctly.

\item Help researcher to understand which family malware belongs to and detect some semantic information about malware. 
\end{itemize}

For those reason, in this paper, an approach is proposed to perform fast malware classification based on malware's meta-data using machine learning technique known as decision tree.

\section{Thesis outline}
The rest of this thesis is structured as follows: \begin{itemize}
\item Chapter 2 describes malware meta-data, and method in the static classification of malware. Insight is provided to understand the purpose of method given in this research.
\item Chapter 3 presents the other malware static classification approach.
\item Chapter 4 gives approach, design and operation of malware classification system.
\item Chapter 5 mentions environment and implementation of static malware system.
\item Chapter 6 shows the system evaluation method and results. 
\item Summary, the conclusion and future work are presented in chapter 7
\end{itemize}
